I found this post on a blog about a vulnerability with the Qualcomm boot. I can't even begin to explain it but could this help us find a way to root?
LINK: https://bits-please.blogspot.com/20...howComment=1462371232579#c7966216604060424834
Fredo2000 said:
I found this post on a blog about a vulnerability with the Qualcomm boot. I can't even begin to explain it but could this help us find a way to root?
LINK: https://bits-please.blogspot.com/20...howComment=1462371232579#c7966216604060424834
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
jcase said:
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
Ah damn. Thanks for letting me know anyways
Not so - this vulnerability requires "mediaserver" permissions to execute and can be used to achieve root (see latest blog post).
Also, I'm releasing another exploit which allows escalation from zero permissions to "mediaserver" which works on all Android versions and phones.
Wow that's an impressive exploit. Congrats for finding it and explaining it in your write up. Have you been able to use it on an unrooted device like ours to gain root? What about the S7 edge that is chained down at the moment? Sounds like you might have an opportunity to cash in on the large bounties for both devices! Once again great work!!
Sent from my LG-H830 using XDA-Developers mobile app
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
How long did it take to discover and work on this exploit? I'm just a lay person that likes to root phones but I imagine this takes a ton of time to work on. I hope you submit your work and publish a root method and cash in on ~$5000 worth of bounties for all your hard work. And I hope Google implements your fixes soon to patch the holes you have discovered.
Sent from my LG-H830 using XDA-Developers mobile app
laginimaineb said:
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
Wow... This is all some seriously great stuff! If you have some time I would love to talk with you about how to get this working on the Sprint G5
laginimaineb said:
Thanks. I've used the exploit to gain kernel code execution (better than root, since you can disable SELinux, etc.). The QSEE payload I provided should work as-is, since it's symbol-less (finds all the symbols directly in memory). As for the QSEE exploit; you'll need to change the symbols (under symbols.h) to match the Widevine application on your phone. As for the S7 edge - I know nothing about it (have never checked), but I can take a look in a couple of days when I'm at home.
If you can modify the kernel, can you disable dm-verity?
If so, I think you might have just found root for our device...
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
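The check suggested above (search the extracted "system_" files for the string "PRDiag" to see whether a firmware build still carries the component the disclosed QSEE vulnerability lives in) is easy to do by hand, but an added example is useful for doing it reproducibly across many extracted partition images. This is example code written for this page, not code from the thread or from any of its posters; it generalises the one-string check to a directory scan for any list of markers, reads files in chunks so images larger than RAM are fine, finds matches that straddle a chunk boundary, and reports byte offsets. The directory layout, file names and constructed sample data in `demo()` are assumptions.

```python
"""Scan extracted firmware partition images for marker strings.

Added example (not the thread's or any poster's code). Generalises the
"grep the extracted system_ files for PRDiag" check into a chunked,
boundary-safe scanner that reports every hit with its byte offset.
"""
import os
import tempfile
from typing import Dict, List

DEFAULT_CHUNK = 4 * 1024 * 1024  # 4 MiB per read


def find_marker_offsets(path: str, marker: bytes,
                        chunk_size: int = DEFAULT_CHUNK) -> List[int]:
    """Return every byte offset at which `marker` occurs in the file at `path`."""
    if not marker:
        raise ValueError("marker must be non-empty")
    offsets: List[int] = []
    overlap = len(marker) - 1  # bytes carried over between chunks
    tail = b""                 # carried-over bytes from the previous chunk
    base = 0                   # file offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            pos = buf.find(marker)
            while pos >= 0:
                offsets.append(base + pos)
                pos = buf.find(marker, pos + 1)
            # A full match cannot fit inside the carried tail (it is one
            # byte shorter than the marker), so no hit is counted twice.
            keep = min(overlap, len(buf))
            tail = buf[len(buf) - keep:] if keep else b""
            base += len(buf) - keep
    return offsets


def scan_directory(root: str, markers: List[bytes],
                   chunk_size: int = DEFAULT_CHUNK) -> Dict[str, Dict[str, List[int]]]:
    """Map relative file path -> marker -> offsets, for files with at least one hit."""
    hits: Dict[str, Dict[str, List[int]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            per_marker: Dict[str, List[int]] = {}
            for marker in markers:
                found = find_marker_offsets(full, marker, chunk_size)
                if found:
                    per_marker[marker.decode("ascii")] = found
            if per_marker:
                hits[rel] = per_marker
    return hits


def demo() -> Dict[str, Dict[str, List[int]]]:
    """Build a constructed sample tree (assumed layout) and scan it."""
    root = tempfile.mkdtemp(prefix="fw_scan_")
    sub = os.path.join(root, "images")
    os.makedirs(sub)
    # Constructed sample data: one image carrying two copies of the marker
    # at offsets 10 and 21, one image with no marker at all.
    with open(os.path.join(sub, "system_1.bin"), "wb") as fh:
        fh.write(b"\x00" * 10 + b"PRDiag" + b"\x00" * 5 + b"PRDiag")
    with open(os.path.join(sub, "system_2.bin"), "wb") as fh:
        fh.write(b"no marker in this image")
    # chunk_size=8 forces the first match to straddle a chunk boundary,
    # which is the case a naive per-chunk search would miss.
    return scan_directory(root, [b"PRDiag"], chunk_size=8)


if __name__ == "__main__":
    for rel, per_marker in demo().items():
        for marker, offs in per_marker.items():
            print(f"{rel}: {marker!r} at offsets {offs}")
```

For real use, point `scan_directory` at the folder holding the partition images extracted from the KDZ/DZ and leave `chunk_size` at its default; a file that shows no hit for the marker is the expected result on a build where the component has been removed, while a hit only tells you the string is present, not that the build is unpatched.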
laginimaineb said:
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
My god... you are the MAN!!! I'll check for the files ASAP (currently doing mother's day stuff) and report back.
Also, how can I donate to you?
jcase said:
This is a trustzone vulnerability that requires root to exploit it. No way to gain root through it
So you are wrong then? This CAN be used to get root?
laginimaineb said:
Not so - this vulnerability requires "mediaserver" permissions to execute and can be used to achieve root (see latest blog post).
Also, I'm releasing another exploit which allows escalation from zero permissions to "mediaserver" which works on all Android versions and phones.
Correct, bad wording on my part. However on this phone it really makes no difference, it is actually easier to gain execution as root than it is on mediaserver. This phone is /BAD/ as far as security is concerned. Multiple bootchain backdoors, beyond broke backup system, known kernel vulns left unpatched, heavily (and poorly) modified stagefright as well. We already have root on the phone, root was never the issue, issue was code signing (which was being worked on until someone shared my root knowing I didn't want it shared). LG is enforcing signature validation and dm-verity on this device, just a heads up.
If you release anything compatible with this phone, make sure the users know not to alter laf/recovery/boot/system. They will anyways, and blame you, but at least you warn them.
I sold my G5 after the drama here, so I am no longer working on it.
Syndicate0315 said:
So you are wrong then? This CAN be used to get root?
I was technically wrong, but it really makes little difference if the starting point is mediaserver or root. It is honestly easier to get exec as root on this phone than mediaserver. I have already demonstrated that root is not an issue on this device, the issue is code signing. This vulnerability does not give you what you guys want, similar to the one of mine that everyone is passing around and emailing me daily about after I put in the readme that it will not do what you want. No one listens.
laginimaineb said:
I suggest that you first check if the G5 is even vulnerable to the QSEE vulnerability I disclosed... (extract the "system_" files from the KDZ and the DZ and search for the string "PRDiag"). Since I disclosed the vulnerability a few months ago, it could be patched on the latest version, but might still be vulnerable on previous ones.
Also, as for dm-verity - the QSEE exploit allows full system memory RW (which allows you to patch a running kernel and basically inject arbitrary code). But (!) you probably want to disable dm-verity at boot, which would require a bootloader unlock.
...Which brings me to my last point - If the LG G5 is vulnerable to the QSEE exploit I disclosed, I'm also releasing a QSEE to TZBSP (TrustZone kernel) exploit, which means you can blow any QFuse you like (which is the standard way to disable secure boot).
Blowing fuses is the standard way of enabling secure boot, not disabling. These phones already have that fuse blown. The more recent LG phones have used a signed blob to "unlock" (as far as the ones I've looked at), they are not following the motorola method of blowing a fuse.
The T-Mobile LG G5 is actually unlocked, all these guys need to do is pack TWRP into a TOT (pretty much a raw image with a header) and flash it in download mode.
Fredo2000 said:
If you can modify the kernel, can you disable dm-verity?
If so, I think you might have just found root for our device...
He can modify the kernel at run time with this exploit, but not the binary image of it, nor the ramdisk that has the settings to enforce dm-verity. It would still need an exploit to get exec in the proper user/context as well as a code-signing exploit.
jcase said:
Correct, bad wording on my part. However on this phone it really makes no difference, it is actually easier to gain execution as root than it is on mediaserver. This phone is /BAD/ as far as security is concerned. Multiple bootchain backdoors, beyond broke backup system, known kernel vulns left unpatched, heavily (and poorly) modified stagefright as well. We already have root on the phone, root was never the issue, issue was code signing (which was being worked on until someone shared my root knowing I didn't want it shared). LG is enforcing signature validation and dm-verity on this device, just a heads up.
If you release anything compatible with this phone, make sure the users know not to alter laf/recovery/boot/system. They will anyways, and blame you, but at least you warn them.
I sold my G5 after the drama here, so I am no longer working on it.
I was technically wrong, but it really makes little difference if the starting point is mediaserver or root. It is honestly easier to get exec as root on this phone than mediaserver. I have already demonstrated that root is not an issue on this device, the issue is code signing. This vulnerability does not give you what you guys want, similar to the one of mine that everyone is passing around and emailing me daily about.
Sorry if this is me just being ignorant, but if we gain root on a device with an unlocked bootloader (T-Mobile), can't we flash root from an app on the phone, boot into recovery, and then flash the disable-dm-verity zip provided on the other thread?
And also, how is gaining root not a problem? Is it through the LAF backdoor?
Syndicate0315 said:
Sorry if this is me just being ignorant, but if we gain root on a device with an unlocked bootloader (T-Mobile), can't we flash root from an app on the phone, boot into recovery, and then flash the disable-dm-verity zip provided on the other thread?
And also, how is gaining root not a problem? Is it through the LAF backdoor?
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
jcase said:
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
Ahhhh OK, that makes MUCH sense...
I have the Sprint variant, what would be the best way for me to go about finding a permanent root? Would any of these methods work?
Syndicate0315 said:
Ahhhh OK, that makes MUCH sense...
I have the Sprint variant, what would be the best way for me to go about finding a permanent root? Would any of these methods work?
Dig through the bootchain, looking for a vulnerability you can use to bypass the secure boot (or otherwise bypass the signing requirement of boot.img), or look at LG's code in regards to unlock, I wouldn't be surprised if a route existed there, LG is notoriously bad at "security" features.
jcase said:
Pack TWRP in a TOT, flash in download mode. I've said this since day one, you don't need an exploit to root the T-Mobile variant. Writing an exploit for the T-Mobile LG G5 is a waste of time and resources. Pack TWRP in a TOT, flash the TOT, be done.
Root isn't a problem because the device has multiple publicly known vulnerabilities (and at least one written exploit) that work on it.
Hate to see you've sold your G5. Unfortunately, there is no TOT for the H830. However, Sprint has one. I am unsure as to how one can create a TOT.
I just need some help. I have been using a guide which was working perfectly at first but then it failed due to a faulty battery. Got a new battery and it's still not rooting properly. If anyone is willing to share some guidance I would really appreciate it.
MICONA14 said:
I just need some help. I have been using a guide which was working perfectly at first but then it failed due to a faulty battery. Got a new battery and it's still not rooting properly. If anyone is willing to share some guidance I would really appreciate it.
Why would root fail due to a faulty battery?
Install a custom recovery first then flash SuperSU. Use Odin. Check YouTube. Flash TWRP. Then flash SuperSU. You have a custom recovery and root. If you want only root try apps like Kingroot.
The faulty battery didn't have enough power to turn the phone back on after the root made it reboot. It just kept putting it into a bootloop.
The guide I was using said to use Kingroot to temp-root it (it rooted once and then got stuck in the bootloop, which is where the phone is currently now) and then SuperSU to perm-root it, but now I can't even get more than 55% with Kingroot before it shuts itself down.
I thought the bootloop was my fault from ****ing with it so I flashed TWRP onto it and it now has a little broken lock that says custom over it, but the TWRP commands don't come up so I still can't put the ROM on it.
If you're on 5.1.1 better use Kingoroot for a high success rate, and after that you NEED to unlock the bootloader first and then flash TWRP. If you don't unlock the bootloader you can't flash TWRP.
Sent from my SM-N910V using XDA-Developers mobile app
rodynares said:
If you're on 5.1.1 better use Kingoroot for a high success rate, and after that you NEED to unlock the bootloader first and then flash TWRP. If you don't unlock the bootloader you can't flash TWRP.
Sorry I am new to this ****, I don't know how to unlock the bootloader?
MICONA14 said:
rodynares said:
If you're on 5.1.1 better use Kingoroot for a high success rate, and after that you NEED to unlock the bootloader first and then flash TWRP. If you don't unlock the bootloader you can't flash TWRP.
Sorry I am new to this ****, I don't know how to unlock the bootloader?
Why would you use Kingroot or Kingoroot if not to unlock the bootloader? Neither will give you a stable root and both have the potential of calling home to China with your personal data.
If you need to unlock your bootloader there are threads in this subforum that will tell you how to do it. However, I'd strongly suggest that you do some serious study into what you're doing and why before you attempt it.
Why would you use Kingroot or Kingoroot if not to unlock the bootloader? Neither will give you a stable root and both have the potential of calling home to China with your personal data.
If you need to unlock your bootloader there are threads in this subforum that will tell you how to do it. However, I'd strongly suggest that you do some serious study into what you're doing and why before you attempt it.
My roommate from college was telling me to do this and was helping me but he did a half-assed way of explaining this stuff so that's why I came here. The Kingroot and Kingoroot is to unlock the bootloader? I thought they were for a temp-root? Not to be a pest but would you be so kind to explain?
MICONA14 said:
Why would you use Kingroot or Kingoroot if not to unlock the bootloader? Neither will give you a stable root and both have the potential of calling home to China with your personal data.
If you need to unlock your bootloader there are threads in this subforum that will tell you how to do it. However, I'd strongly suggest that you do some serious study into what you're doing and why before you attempt it.
My roommate from college was telling me to do this and was helping me but he did a half-assed way of explaining this stuff so that's why I came here. The Kingroot and Kingoroot is to unlock the bootloader? I thought they were for a temp-root? Not to be a pest but would you be so kind to explain?
You need temporary root at which time you can deploy the exploit that will unlock the bootloader and give you full root. That's what Kingroot or Kingoroot do for you. What they may or may not do for you is give your phone cooties and call home to China with your personal information.
Can I hold your hand and walk you through rooting your phone? Yeah, I could, but I won't. The guys that developed the exploit think it's a good idea for someone to have at least a clue as to what they're doing. I happen to agree with that. Rooting is fairly safe for your phone so long as you're willing and able to follow directions exactly.
Read up on the process of rooting. There are three or four threads in the general section that tell you how. If you think you're up for it, do it.
Because I never rooted my H918 and the replacement from T-Mobile insurance for bootloop issue came with H91810Q already installed, I have been looking for a way to possibly gain root access. Because an exploit will be needed for now, though there is some interesting looking work with modifying LG UP, I found this:
http://www.cvedetails.com/vulnerabi...r-2017/opec-1/Linux-Linux-Kernel-3.18.31.html
I'm not as familiar with coding or exploits as I would like to be, and not sure if I understand if this will give the necessary access but thought I would share for those that DO know and might point me in the right direction or explain if this would work or why it would not.
The exploit you are referring to is Blueborne. That doesn't help us. It is a bluetooth exploit that gains access to the phone. It allows the exploiter control over your phone, as in a thief who steals your phone now has control over it. That doesn't mean the thief could root it. Unless it's a dev on xda, but so far none have done it.
The Dirty COW exploit no longer works after 10j firmware and since you can't roll back from 10q, no TWRP, no root.
Is this possible in any way? Will it be possible soon? Thanks.
The only way to root without a PC that I know of is an app like King Root. But you don't want King Root. It only works on certain phones and probably not this one because dual partitions make it much more difficult even if you have a computer. But King Root is pretty much malware. It loads adware onto your phone, sends unrestricted data to servers in China and refuses to give root access to any app that King Root considers a threat to any action that King Root wants to perform on your phone. The fact that anyone actually uses the app is unbelievable to me. There may be an auto root app that is less malicious but probably nothing that would work on this phone.
pementosequence said:
Is this possible in any way? Will it be possible soon? Thanks.
You need an unlocked bootloader.
You need a computer to unlock the bootloader.
You need a computer to flash the images.
There is no way to OEM unlock without a computer.
tech_head said:
You need an unlocked bootloader.
You need a computer to unlock the bootloader.
You need a computer to flash the images.
There is no way to OEM unlock without a computer.
King Root actually works on some phones where the bootloader can't be unlocked. That was the only reason I tried that garbage app but any benefits from rooting aren't worth the problems caused by the app. If the bootloader is locked but you are rooted you can run apps that require root access like Titanium Backup (as long as King Root doesn't block root access like it does with Adaway) but you can't flash a custom kernel or custom ROM.